New Blog Spammer Hack?

My brother just discovered a mean blog content hack in an RSS feed. Somebody managed to insert a div with spam text into a blog entry's content (and in one case even into the description meta tag). As opposed to 'normal' comment spam (see rel=nofollow), content spam makes it look as if the blogger recommended the link, which (I presume) gives it a higher Google ranking.

So why does the blogger not notice the inserted text? The height and width of the div are zero, so the text is hidden. Some feedreaders however preview entries without div styles, so the inserted text is visible in the RSS feed.

By googling for variations of the link text, I found 7 more blogs. Sure, eight is far from a botnet epidemic. Still it's strange how the same hidden text turns up in the content of eight unrelated blogs. Do they have anything in common?

The eight cases I saw all run on WordPress, but on different versions. This still does not explain why only these eight were affected. If someone had 'teh über h4ck' to insert arbitrary text into other people's blogs, there'd be A LOT more cases, you would think. So is the common denominator something simpler, such as a weak password? But then, why only WordPress...?

If you have a WordPress blog, please quickly search the page source for a div with style='overflow:auto;width:0;height:0; and tell us whether you got one too. I'd really like to get to the bottom of this Easter mystery...
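The page-source check described above can be automated. The following Python sketch is an added example, not part of the original post: it reports the text and links inside any element whose inline style sets both width and height to zero. The names `find_hidden_blocks` and `is_zero_sized` and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}  # no end tag
ZERO = re.compile(r"^0(\.0+)?(px|em|rem|pt|%)?$")

def is_zero_sized(style):
    """True if an inline style sets both width and height to zero."""
    props = {}
    for decl in style.lower().split(";"):
        name, sep, value = decl.partition(":")
        if sep:
            props[name.strip()] = value.replace("!important", "").strip()
    return all(ZERO.match(props.get(key, "")) for key in ("width", "height"))

class HiddenBlockFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.depth = 0      # > 0 while inside a zero-sized element
        self.findings = []  # one {"text", "links"} dict per hidden block

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self.depth:
            if tag == "a" and attrs.get("href"):
                self.findings[-1]["links"].append(attrs["href"])
            if tag not in VOID:
                self.depth += 1
        elif tag not in VOID and is_zero_sized(attrs.get("style") or ""):
            self.depth = 1
            self.findings.append({"text": "", "links": []})

    def handle_endtag(self, tag):
        if self.depth and tag not in VOID:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.findings[-1]["text"] += data

def find_hidden_blocks(html):
    finder = HiddenBlockFinder()
    finder.feed(html)
    finder.close()
    return [f for f in finder.findings if f["text"].strip() or f["links"]]

# Constructed sample: a normal paragraph followed by an injected zero-sized div.
SAMPLE = ("<p>Post with a <a href='https://example.org/ok'>real link</a>.</p><div style='overflow:auto;"
          "width:0;height:0;'>cheap pills <a href='http://spam.example/buy'>buy now</a><br>more</div>")
```

Run `find_hidden_blocks()` over the saved HTML of each post page and over the feed's entry content. It only inspects inline style attributes, so text hidden through a stylesheet class is not covered.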

PS: Update

OK, I found out more. Somebody indeed exploited a bug in WordPress' XML-RPC interface to insert text into certain versions of WordPress blogs. They patched it, but users didn't update.

Do CMS providers like WordPress have something like the NetBeans update center? Can they send users a message reminding them to update? I assume not (unless the user signs up to a mailing list). :(

The recommendation is not only to update to the latest patched version; you should also change your password.

Comments:

One of the blogs I follow, coilhouse.net, which does run on WordPress, got hit by this one. Not sure if this is one of the ones you know about, but it might very well be a site you want to check out.

Cheers.

Posted by Joe on March 25, 2008 at 04:01 AM CET #

I had this happen on my WordPress blog twice in the past week, once before and once *after!* I upgraded to the newest version of WordPress (I, wrongly, figured that the upgrade would fix whatever security hole allowed it).

And, sure enough, the blog got yanked from Google's blog index. Argh!

I'd never have spotted the problem if it wasn't for a reader who happened to notice it via their RSS reader.

Posted by John on March 28, 2008 at 07:04 AM CET #

If even the latest version is vulnerable, then all WordPress blogs could be at risk.

Posted by Mike Abundo on March 28, 2008 at 09:59 AM CET #

Here's a scary thought: what if you found only eight infections because the rest were already deindexed by Google?

This could be just the tip of the iceberg.

Posted by Mike Abundo on March 28, 2008 at 09:06 PM CET #

If Google really deindexes the affected ones, then that's a very valid point you make, Mike! :-o

Posted by Seapegasus on April 03, 2008 at 01:25 PM CEST #
